Image: David Paul Morris/Bloomberg via Getty Images
Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
A series of Samsung apps that allow customers to control their internet-connected appliances require access to all the phone’s contacts and, in some cases, the phone call app, phone’s location, and camera. Customers have been furious about this for years.
This is a common complaint.
“When I launch the app, the damned thing wants all sort of permissions: location, phone calls, media, and … contacts??? The app won’t work without these permissions,” another Reddit user grumbled last year, referring to another Samsung app—called Smart Home—that requires the same seemingly exaggerated permissions. “Why would the Samsung Smart Home app need access to my contacts?”
The reviews for these two apps, both of which have more than a million installs according to their stats on the Google Play store, aren’t very positive either. The Smart Washer App has an average of 2.1 stars, thanks to a slew of reviews that mention the unnecessary permissions.
“This app is pointless. It asks for bogus permissions to phone, camera, contacts, location, etc. (pretty much everything needed to monitor your life), then closes when you deny permission to even one of them. What’s the point of an app that just closes when I don’t let it spy on me?” one user wrote.
In their recent reviews, other users’ call the permissions “absurd,” “unacceptable,” “pesky,” and “awful.” One user even called it “spyware.” Reviews for the Smart Home app—with 2.7 stars on the Google Play store—also include similar complaints about the permissions.
These situations speak to two issues: Apps that demand permissions that they don’t need, and “smart” and internet of things devices that make formerly simple tasks very complicated, and open up potential privacy and security concerns.
Generally speaking, over the last few years, people have become more sensitive to what they’re giving up in privacy and potentially security when they deal with big tech companies. Smart TVs (Samsung included), for example, have been caught listening to users and automatically deliver ads. Tech companies have had to adapt and do better. For example, both Apple and Google allow users to see what data an app has access to, and in some cases users can toggle the permissions individually. The upcoming new version of Android will even have a dedicated “Privacy Dashboard” where users can see which apps used what permissions, and revoke them if they want. Apple’s iOS has similar functionality. But none of this stops app developers from asking users to accept unnecessary permissions.
It’s unclear why apps that are designed to let you set the type of washing cycle you want, or see how long it’s gonna take for the dryer to be done, would need access to your phone’s contacts. In an FAQ for another Samsung app, the company says it needs access to contacts “to check if you already have a Samsung account set up in your device. Knowing this information helps mySamsung to make the sign-in process seamless.”
Samsung did not respond to a request for comment.
While there are a lot of people who use these apps, judging from the recent reviews, the Smart Washer and Smart Home apps have not received an update since October 7, 2020, suggesting Samsung does not support them anymore. On its US site, Samsung advertises a smart washing machine with a newer app called SmartThings App, which has less invasive permission requirements compared to the older apps.
The SmartThings app, according to its Google Play store page, doesn’t list any required permissions, indicating that “you can use the app without optional permissions, but some functions may be limited.” The optional permissions include access to:
• Location: Used to find nearby devices using Bluetooth or BLE and to automate actions using GPS (GPS is optional)
• Camera: Used to scan QR codes
• Contacts: Used to get phone numbers of your contacts to send text message notifications
• Microphone: Used to provide voice control features
• Storage: Used to save data and to transfer files and content using the app
• Phone: Used to make calls on smart speakers and to show information about the sender when sharing content with another device
If you have a Samsung internet-connected appliance, and are uncomfortable letting its app see all your friend’s phone number, try using the newer app, or maybe just use the washer the good old fashioned way—without a phone.
Subscribe to our cybersecurity podcast, CYBER.